Active Directory administrators should regularly clean up stale computers from Active Directory. This is a fact. If you haven’t automated the stale computer cleanup process, take 10 minutes to read this background article and to set it up. Doing so will make your life easier. After all, cleaning up your stale computers will help you by:

When a computer is marked as stale, it can occasionally come back to life! I like to call these zombie computers. It makes my day sound more exciting…

Binnnnarrry….. (said in a creepy zombie voice)

How do these stale computers come back to life? Here is an example: a user might have a laptop off the domain for a year. This laptop would be marked as stale and disabled. When the user returns, a help desk technician might re-enable the laptop without moving it from your Stale Computers container.

Just this week, we had 9 computers with this issue. That meant 9 computers that were not receiving the Group Policy linked to their proper OUs! That meant 9 computers that did not have AppLocker, UAC, or our other security settings applied to them! That meant 9 computers with a craving for human brains! Fortunately for us, PowerShell can fix two out of these three problems automatically! A shotgun will fix the last one…

The Enabled Inactive Computers Script

The script below will monitor your stale OU for computers that re-enable themselves. Our Stale OU is located in the root of our domain and is named Computers_Stale. You will need to change the 3rd line ($Computer = ) to match your stale OU. You will also need to edit this line:

```powershell
Where-Object { $_.ParentContainer -ne "TEST.local/Computers_Stale" }
```

When a zombie computer comes back, you will receive an email alert. To enable this, you will need to configure the $emailFrom, $emailTo, and $smtpServer lines.

This script uses the same logic found in our Automatically Name Computer script. It takes the computer prefix (the computer name minus its last two characters), searches AD for other computers with that prefix, and selects their OU only when it is unique (a single OU). Finally, it moves the zombie computer from the stale OU into that matching OU. If your computer naming scheme ends in more than two characters (e.g. 001, 113), change the “Length-2” section to “Length-YOURNUMBER”.

In the event that a computer is enabled but no single matching OU is found, you will receive an alert email letting you know about it instead of an automatic move. As I mentioned above, this script prevented 9 problems on our opening day of school. It took only 5 minutes to set up.
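The prefix-matching move and the "no unique OU" alert described above, as an added example that is not the post's own script. It is written against the Microsoft ActiveDirectory module rather than the Quest cmdlets that the original's ParentContainer property implies, so the stale OU is given as a distinguished name. The OU DN, domain and mail settings are placeholders (assumptions), not values from the post.

```powershell
# Added example (not the original script). Assumptions: OU DN, domain and mail settings below.
Import-Module ActiveDirectory

$StaleOU      = "OU=Computers_Stale,DC=TEST,DC=local"   # assumption: your stale OU's DN
$SuffixLength = 2                                        # the post's "Length-2"; raise it for 001-style suffixes
$emailFrom    = "ad-alerts@test.local"                   # assumptions, same role as in the post
$emailTo      = "sysadmins@test.local"
$smtpServer   = "smtp.test.local"

function Get-ComputerPrefix {
    # "Computer name minus its last N characters"; $null when the name is too short to have a suffix.
    param([string]$Name, [int]$SuffixLength = 2)
    if ($Name.Length -le $SuffixLength) { return $null }
    return $Name.Substring(0, $Name.Length - $SuffixLength)
}

function Get-ParentContainer {
    # Drop the leading "CN=<name>," RDN to get the DN of the container holding the object.
    param([string]$DistinguishedName)
    return ($DistinguishedName -replace '^CN=[^,]+,', '')
}

function Resolve-TargetOU {
    # Return the one OU that holds the zombie's prefix-mates, or $null when there is none
    # or more than one (ambiguous). Candidates still sitting in the stale OU are ignored,
    # which is the job of the post's "ParentContainer -ne" filter.
    param([object[]]$Candidates, [string]$StaleOU)
    if (-not $Candidates) { return $null }
    $ous = @($Candidates |
        ForEach-Object { Get-ParentContainer $_.DistinguishedName } |
        Where-Object { $_ -and $_ -ne $StaleOU } |
        Sort-Object -Unique)
    if ($ous.Count -eq 1) { return $ous[0] }
    return $null
}

function Invoke-ZombieSweep {
    # Enabled computers still sitting directly in the stale OU are the "zombies".
    $zombies = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $StaleOU -SearchScope OneLevel
    foreach ($zombie in $zombies) {
        $prefix = Get-ComputerPrefix -Name $zombie.Name -SuffixLength $SuffixLength
        $target = $null
        if ($prefix) {
            # Other computers sharing the prefix tell us where this one belongs.
            $candidates = Get-ADComputer -Filter "Name -like '$prefix*'" |
                Where-Object { $_.DistinguishedName -ne $zombie.DistinguishedName }
            $target = Resolve-TargetOU -Candidates $candidates -StaleOU $StaleOU
        }
        if ($target) {
            Move-ADObject -Identity $zombie.DistinguishedName -TargetPath $target
            $body = "Moved $($zombie.Name) from $StaleOU to $target. Check that it is now receiving Group Policy."
        } else {
            # No match or an ambiguous match: alert only, never guess an OU.
            $body = "$($zombie.Name) is enabled in $StaleOU but no single matching OU was found (prefix '$prefix'). Move it by hand."
        }
        Send-MailMessage -From $emailFrom -To $emailTo -SmtpServer $smtpServer `
            -Subject "Zombie computer: $($zombie.Name)" -Body $body
    }
}

Invoke-ZombieSweep
```

Run it from a scheduled task as an account that can move objects out of the stale OU and into the target OUs; a move is only attempted when exactly one OU matches, so a naming collision across departments produces a mail rather than a misfiled computer.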

So what are you waiting on? Copy the script above and protect yourself from the dreaded “enabled inactive computer”!

4 thoughts on “Enabled Inactive Computers or Why I fear the Zombie Compocalypse!”

Why not simply lock down permissions on the Stale Computers OU to prevent anyone with anything less than domain admin rights from enabling the objects in that OU. (I would hope that your helpdesk does not have domain admin rights.)
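The commenter's suggestion, as an added example that is not code from the post or the comment: a Deny ACE on the stale OU that stops the help desk group from writing userAccountControl (the attribute that holds the disabled flag) on computer objects beneath it. The OU DN and group name are placeholders (assumptions); the schema GUIDs are looked up rather than hardcoded.

```powershell
# Added example (not from the post or the comment). Assumptions: OU DN and help desk group name.
Import-Module ActiveDirectory

$StaleOU       = "OU=Computers_Stale,DC=TEST,DC=local"   # assumption: your stale OU's DN
$HelpdeskGroup = "TEST\Helpdesk"                          # assumption: the group that must not re-enable

function Get-SchemaGuid {
    # Resolve an attribute's or class's schemaIDGUID from the schema partition.
    param([string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

function Deny-EnableInOU {
    # Deny WriteProperty on userAccountControl for computer objects under $OuDN.
    # Enabling an account is a write to that attribute, so the help desk can no longer
    # flip a stale computer back on without first moving it (which they may also lack rights for).
    param([string]$OuDN, [string]$Principal)
    $uacGuid      = Get-SchemaGuid 'userAccountControl'
    $computerGuid = Get-SchemaGuid 'computer'

    $identity = New-Object System.Security.Principal.NTAccount($Principal)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $uacGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerGuid)

    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

Deny-EnableInOU -OuDN $StaleOU -Principal $HelpdeskGroup
```

Run this as an account with WriteDacl on the OU. The Deny ACE only affects the named group and only objects while they sit under the stale OU; once a computer is moved back to its proper OU, the help desk's normal delegated rights apply again.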